Skip to content
  • About
  • Contact
  • Contribute
  • Book
  • Careers
  • Podcast
  • Recommended
  • Speaking
  • All
  • Physician
  • Practice
  • Policy
  • Finance
  • Conditions
  • .edu
  • Patient
  • Meds
  • Tech
  • Social
  • Video
    • All
    • Physician
    • Practice
    • Policy
    • Finance
    • Conditions
    • .edu
    • Patient
    • Meds
    • Tech
    • Social
    • Video
    • About
    • Contact
    • Contribute
    • Book
    • Careers
    • Podcast
    • Recommended
    • Speaking

Protecting health apps on the web from the evils of the Internet

John Halamka, MD
Tech
October 3, 2011
Share
Tweet
Share

The Internet can be a swamp of hackers, crackers, and hucksters attacking your systems for fun, profit and fraud.  Defending your data and applications against this onslaught is a cold war, requiring constant escalation of new techniques against an ever increasing offense.

Clinicians are mobile people.  They work in ambulatory offices, hospitals, skilled nursing facilities, on the road, and at home.   They have desktops, laptops, tablets, iPhones and iPads.  Ideally their applications should run everywhere on everything.   That’s the reason we’ve embraced the web for all our built and bought applications.   Protecting these web applications from the evils of the Internet is a challenge.

Five years ago all of our externally facing web sites were housed within the data center and made available via network address translation (NAT)  through an opening in the firewall.   We performed periodic penetration testing of our sites.  Two years ago, we installed a Web Application Firewall (WAF) and proxy system.    We are now in the process of migrating all of our web applications from NAT/firewall accessibility to WAF/Proxy accessibility.

We have a few hundred externally facing web sites.  From a security view there are only two types, those that provide access to protected health information content and those that do not.   Fortunately more are in the latter than the former.

One of the major motivations for creating a multi-layered defense was the realization that many vendor products are vulnerable and even when problems are identified, vendors can be slow to correct defects.   We need  “zero day protection” to secure purchased applications against evolving threats.

Technologies to include in a multi-layered defense include:

1.  Filter out basic network probes at the border router such as traffic on unused ports

2.  Use Intrusion Prevention Systems (IPS)  to block common attacks such as SQL Injection and cross site scripting. We block over 10,000 such attacks per day.   You could implement multiple IPSs from different vendors to create a suite of features including URL filtering  which prevent internal users from accessing known malware sites.

3.  A classic firewall and Demilitarized Zone (DMZ)  to limit the “attack surface“.

Policies and procedures are an important aspect of maintaining a secure environment.   When a request is made to host a new application, we start with a Nessus vulnerability scan.

Applications must pass the scan before we will consider hosting them.   We built a simple online request form for these requests for access to both track the requests and keep the data a SQL data base.    This provides the data source for an automated re-scan of each system.

Penetration testing of internally written applications is a bit more valuable because they are easier to update/correct based on the findings of penetration tests.

One caveat.   The quality of penetration testing is highly variable.    When we hire firms to attack our applications, we often get a report filled with theoretical risks that are not especially helpful i.e. if your web server was accidentally configured to accept HTTP connections instead of forced HTTPS connections, the application would be vulnerable.   That’s true and if a meteor struck our data center, we would have many challenges on our hands.  When choosing a penetration testing vendor, aim for one that can put their findings in a real world context.

ADVERTISEMENT

Thus, our mitigation strategy is to apply deep wire based security, utilize many tools including IPS, traditional firewalls, WAF and proxy servers, and perform periodic re-occurring internal scans of all systems that are available externally to our network.

Of course, all of this takes a team of trained professionals.

I hope this is helpful for your own security planning.

John Halamka is Chief Information Officer of Beth Israel Deaconess Medical Center and blogs at Life as a Healthcare CIO.

Submit a guest post and be heard on social media’s leading physician voice.

Prev

Lawsuits are more of an emotional issue than a financial one

October 3, 2011 Kevin 7
…
Next

Universal board certification can solve the Doctor Nurse controversy

October 3, 2011 Kevin 18
…

Tagged as: Health IT

Post navigation

< Previous Post
Lawsuits are more of an emotional issue than a financial one
Next Post >
Universal board certification can solve the Doctor Nurse controversy

ADVERTISEMENT

More by John Halamka, MD

  • The future of EHR: Here are 5 predictions

    John Halamka, MD
  • 10 crucial guidelines for health care IT

    John Halamka, MD
  • 5 health care IT tips for President Trump

    John Halamka, MD

More in Tech

  • Why Grok 4 could be the next leap for HIPAA-compliant clinical AI

    Harvey Castro, MD, MBA
  • AI is already replacing doctors—just not how you think

    Bhargav Raman, MD, MBA
  • A mind to guide the machine: Why physicians must help shape artificial intelligence in medicine

    Shanice Spence-Miller, MD
  • How digital tools are reshaping the doctor-patient relationship

    Vineet Vishwanath
  • The promise and perils of AI in health care: Why we need better testing standards

    Max Rollwage, PhD
  • 3 tips for using AI medical scribes to save time charting

    Erica Dorn, FNP
  • Most Popular

  • Past Week

    • Forced voicemail and diagnosis codes are endangering patient access to medications

      Arthur Lazarus, MD, MBA | Meds
    • The One Big Beautiful Bill and the fragile heart of rural health care

      Holland Haynie, MD | Policy
    • America’s ER crisis: Why the system is collapsing from within

      Kristen Cline, BSN, RN | Conditions
    • Why timing, not surgery, determines patient survival

      Michael Karch, MD | Conditions
    • How early meetings and after-hours events penalize physician-mothers

      Samira Jeimy, MD, PhD and Menaka Pai, MD | Physician
    • FDA delays could end vital treatment for rare disease patients

      GJ van Londen, MD | Meds
  • Past 6 Months

    • Forced voicemail and diagnosis codes are endangering patient access to medications

      Arthur Lazarus, MD, MBA | Meds
    • How President Biden’s cognitive health shapes political and legal trust

      Muhamad Aly Rifai, MD | Conditions
    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • The One Big Beautiful Bill and the fragile heart of rural health care

      Holland Haynie, MD | Policy
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • Here’s what providers really need in a modern EHR

      Laura Kohlhagen, MD, MBA | Tech
  • Recent Posts

    • Healing beyond the surface: Why proper chronic wound care matters

      Alvin May, MD | Conditions
    • Why specialist pain clinics and addiction treatment services require strong primary care

      Olumuyiwa Bamgbade, MD | Conditions
    • Dear July intern: It’s normal to feel clueless—here’s what matters

      Tomi Mitchell, MD | Education
    • Who gets to be well in America: Immigrant health is on the line

      Joshua Vasquez, MD | Policy
    • When a medical office sublease turns into a legal nightmare

      Ralph Messo, DO | Physician
    • Why the heart of medicine is more than science

      Ryan Nadelson, MD | Physician

Subscribe to KevinMD and never miss a story!

Get free updates delivered free to your inbox.


Find jobs at
Careers by KevinMD.com

Search thousands of physician, PA, NP, and CRNA jobs now.

Learn more

Leave a Comment

Founded in 2004 by Kevin Pho, MD, KevinMD.com is the web’s leading platform where physicians, advanced practitioners, nurses, medical students, and patients share their insight and tell their stories.

Social

  • Like on Facebook
  • Follow on Twitter
  • Connect on Linkedin
  • Subscribe on Youtube
  • Instagram

ADVERTISEMENT

  • Most Popular

  • Past Week

    • Forced voicemail and diagnosis codes are endangering patient access to medications

      Arthur Lazarus, MD, MBA | Meds
    • The One Big Beautiful Bill and the fragile heart of rural health care

      Holland Haynie, MD | Policy
    • America’s ER crisis: Why the system is collapsing from within

      Kristen Cline, BSN, RN | Conditions
    • Why timing, not surgery, determines patient survival

      Michael Karch, MD | Conditions
    • How early meetings and after-hours events penalize physician-mothers

      Samira Jeimy, MD, PhD and Menaka Pai, MD | Physician
    • FDA delays could end vital treatment for rare disease patients

      GJ van Londen, MD | Meds
  • Past 6 Months

    • Forced voicemail and diagnosis codes are endangering patient access to medications

      Arthur Lazarus, MD, MBA | Meds
    • How President Biden’s cognitive health shapes political and legal trust

      Muhamad Aly Rifai, MD | Conditions
    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • The One Big Beautiful Bill and the fragile heart of rural health care

      Holland Haynie, MD | Policy
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • Here’s what providers really need in a modern EHR

      Laura Kohlhagen, MD, MBA | Tech
  • Recent Posts

    • Healing beyond the surface: Why proper chronic wound care matters

      Alvin May, MD | Conditions
    • Why specialist pain clinics and addiction treatment services require strong primary care

      Olumuyiwa Bamgbade, MD | Conditions
    • Dear July intern: It’s normal to feel clueless—here’s what matters

      Tomi Mitchell, MD | Education
    • Who gets to be well in America: Immigrant health is on the line

      Joshua Vasquez, MD | Policy
    • When a medical office sublease turns into a legal nightmare

      Ralph Messo, DO | Physician
    • Why the heart of medicine is more than science

      Ryan Nadelson, MD | Physician

MedPage Today Professional

An Everyday Health Property Medpage Today
  • Terms of Use | Disclaimer
  • Privacy Policy
  • DMCA Policy
All Content © KevinMD, LLC
Site by Outthink Group

Leave a Comment

Comments are moderated before they are published. Please read the comment policy.

Loading Comments...